Getting Data In

Discussions

Thread Info

Find line number of search string in multiline event

I have multiline events and I need to identify which line number a search string appears in. Preferred would be a sol...

by Builder in

After rebuilding a Splunk server, is there way to centrally tell all my forwarders to resend all logs prior to the system going down?

Recently I had to rebuild our Splunk server. Luckily we had the config files so was able to get everything back up an...

by Engager in

Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

Hi I am having a strange issue where some of the message or 'EventData' is missing from the forwarded Windows even...

by New Member in

When I try to add or delete port 9997, why do I get the same "Error occurred attempting to remove 9997...Could not find config id for port"?

When I try deleting port 9997, I get the following problem: Error occurred attempting to remove 9997: In handler '...

by Explorer in

Why is Splunk indexing two hostnames when I only have one set in inputs.conf?

I am monitoring two files: /var/log/secure and /var/log/messages In the Data Summary Hosts tab, I have two hosts: ...

by Explorer in

Is it possible to prioritize what data is forwarded from a heavy forwarder? (ex: security data first, then non-security data)

Hi everybody, I'm new in Splunk, so be gentle, please. So that's the scenario: I have a Splunk Heavy forward...

by Influencer in

How to assess improvement in network utilization after turning on compression on a universal forwarder?

Hi, I'm wanting to assess the improvement in network utilization after turning on compression. Is there any search...

by Communicator in

How to send logs from a Kiwi syslog server to Splunk?

How to integrate Kiwi syslog server with Splunk? I mean what configuration changes are required to perform on the kiw...

by Explorer in

delta report for multiple hosts

I have the following log messages coming from syslog-ng Jun 14 10:32:04 sc4-cron.mcafeesecure.com syslog-ng[2775]:...

by Explorer in

Configuring inputs.conf to send data to specific Index

I have a Splunk setup defined like: Universal Forwarder ---->Heavy Forwarder ------>Indexer I need that all the lo...

by Path Finder in

When parsing JSON events, why does Splunk round nanoseconds timestamp to 'none' and uses the indexed time as _time?

I'm having real issues in parsing JSON events. I have a distributed Splunk setup and I have tested uploading the logs...

by Path Finder in

What is recommended to get a Splunk universal forwarder to pick up data after a SQL server cluster failover?

Customer has many SQL Server clusters that are using Windows Failover Clustering. Splunk is installed at the node-lev...

by Communicator in

Where is the proper place to use INDEXED_EXTRACTIONS = JSON -- the indexer or a heavy forwarder?

https://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html shows this props.conf entry on ...

by Motivator in

How do I edit my props.conf for proper line breaking of my sample multiline event data?

Hello once again. Working with a distributed environment (Universal Forwarder > Heavy Forwarder > Indexer) I have a p...

by Communicator in

How to configure inputs.conf to monitor a directory with multiple folders, but ignore certain folders based on date in the path name?

Hi Now I'm working with many sub directories. I want to monitor some directories and don't want to monitor others...

by Explorer in

Replacing a search peer in an indexer cluster, will warm and cold buckets automatically be copied over when the new indexer joins the cluster?

We are replacing (upgrading to new hardware) an indexer that is part of an indexer cluster. In the cluster there are ...

by Contributor in

How to get a scripted input to do something and then restart Splunk?

So I am working on handling variable situations in a deployed environment so the way I was solving this issue was to ...

by Communicator in

How to troubleshoot why I'm not getting any data from our Splunk forwarder for these perfmon counters?

Hi, I'm trying to get Splunk to return the below Perfmon Counters, but am getting no results: \SQLServer:Locks(...

by New Member in

Error: Could not create Splunk settings directory at '\\MYUNCPATH\user\.splunk'. When using 'Splunk reload deploy-server' on Windows 2012

Hello. I am getting this UNC path error when I try to execute Splunk reload deploy-server: Could not create Splunk...

by Engager in

Has anyone compared the performance and resource usage on a universal forwarder versus a full Splunk Enterprise install for a simple inputs.conf?

All, I have a couple small use cases where a full install of Splunk with the GUI disabled might be better than us...

by Builder in

Can a macro be created for an application based on the application setup.xml?

Our server can input data into Splunk either via Syslog or Http Event Collector. In our Splunk application, we want t...

by Contributor in

How to configure a universal forwarder to send data to a specific index on our Splunk Cloud instance?

Hi, I'm trying to send data to a specific index on our Splunk Cloud instance I've tried several methods found i...

by Motivator in

How to troubleshoot why universal forwarders are reporting "Could not send data to output queue (parsingQueue), retrying..."?

I'm getting this message below on Universal Forwarders' splunkd.log... INFO BatchReader - Could not send data to ...

by Builder in

How to configure all forwarders from an old deployment server to a new deployment server?

We are migrating deployment-apps, Forwarders, from one Deployment server to another Deployment server. In the process...

by Engager in

How do I fix a large amount of duplicate events that are locking out my instance?

I've been tasked with installing Splunk Cloud on our hosted Windows environment, and I'm running into issues getting ...

by Engager in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Find line number of search string in multiline event

After rebuilding a Splunk server, is there way to centrally tell all my forwarders to resend all logs prior to the system going down?

Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

When I try to add or delete port 9997, why do I get the same "Error occurred attempting to remove 9997...Could not find config id for port"?

Why is Splunk indexing two hostnames when I only have one set in inputs.conf?

Is it possible to prioritize what data is forwarded from a heavy forwarder? (ex: security data first, then non-security data)

How to assess improvement in network utilization after turning on compression on a universal forwarder?

How to send logs from a Kiwi syslog server to Splunk?

delta report for multiple hosts

Configuring inputs.conf to send data to specific Index

When parsing JSON events, why does Splunk round nanoseconds timestamp to 'none' and uses the indexed time as _time?

What is recommended to get a Splunk universal forwarder to pick up data after a SQL server cluster failover?

Where is the proper place to use INDEXED_EXTRACTIONS = JSON -- the indexer or a heavy forwarder?

How do I edit my props.conf for proper line breaking of my sample multiline event data?

How to configure inputs.conf to monitor a directory with multiple folders, but ignore certain folders based on date in the path name?

Replacing a search peer in an indexer cluster, will warm and cold buckets automatically be copied over when the new indexer joins the cluster?

How to get a scripted input to do something and then restart Splunk?

How to troubleshoot why I'm not getting any data from our Splunk forwarder for these perfmon counters?

Error: Could not create Splunk settings directory at '\\MYUNCPATH\user\.splunk'. When using 'Splunk reload deploy-server' on Windows 2012

Has anyone compared the performance and resource usage on a universal forwarder versus a full Splunk Enterprise install for a simple inputs.conf?

Can a macro be created for an application based on the application setup.xml?

How to configure a universal forwarder to send data to a specific index on our Splunk Cloud instance?

How to troubleshoot why universal forwarders are reporting "Could not send data to output queue (parsingQueue), retrying..."?

How to configure all forwarders from an old deployment server to a new deployment server?

How do I fix a large amount of duplicate events that are locking out my instance?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions